Changes when calling .cmd/.bat files on Windows (EINVAL)

[ehmicky]

On Windows, .cmd/.bat files must be interpreted by cmd.exe. Windows CreateProcess syscall (which is used under-the-hood by child_process.spawn()) automatically does this.

However, when cmd.exe is used, arguments are not escaped by Node.js. This leads to a potential shell injection. Therefore, Node.js just disallowed that behavior in Node 18.20.2, 20.12.2, 21.17.3 and 22.0.0.

This means that users calling .cmd/.bat files will now experience EINVAL errors, and must now use the shell: true option to fix this. This is quite a breaking change, so I am creating this issue for users to find the workaround. Also, I am expecting issues being created, which we can redirect to this issue.

We could potentially automatically add shell: true when detecting a .cmd/.bat file is being executed. This means resolving the executable full path (since those file extensions are usually omitted), which node-cross-spawn already does. However, doing so might create the vulnerability mentioned above, so we probably should not do anything there.